Thousands of Zimbra servers vulnerable to actively exploited flaw
Email security, Vulnerability Management, Patch/Configuration Management

Over 10,000 Zimbra Collaboration Suite (ZCS) instances remain exposed online and vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) flaw, according to the nonprofit security organization Shadowserver. Zimbra is a widely used email and collaboration suite with hundreds of millions of users worldwide, including numerous government agencies and businesses.

The vulnerability, tracked as CVE-2025-48700, affects multiple ZCS versions and lets an unauthenticated attacker execute arbitrary JavaScript inside a victim's webmail session, and so read sensitive information with that user's privileges, according to a recent report by Bleeping Computer. It affects ZCS versions 8.8.15, 9.0, 10.0, and 10.1. Exploitation requires no interaction beyond the victim opening a maliciously crafted email in the Zimbra Classic UI. Synacor released security patches in June 2025.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged CVE-2025-48700 as exploited in the wild and added it to its Known Exploited Vulnerabilities (KEV) catalog, ordering Federal Civilian Executive Branch agencies to secure their Zimbra servers by April 23.

Shadowserver reported more than 10,500 unpatched Zimbra servers exposed online, most of them in Asia and Europe. Similar Zimbra XSS vulnerabilities have previously been exploited by state-backed actors such as APT28 and APT29 in targeted attacks against government entities and other organizations.

Source: Bleeping Computer
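For administrators who want a quick triage of their own hosts, the following is an added example, not code from the article, Bleeping Computer, Shadowserver or Synacor. It parses the version line that `zmcontrol -v` prints on a ZCS host and classifies the install against the affected release branches named above. It assumes that output has the `Release X.Y.Z_GA_NNNN ...` layout, with a `, Patch X.Y.Z_PNN` suffix on 8.8.15 and 9.0 installs; the patch levels that contain the June 2025 fix are not stated on this page, so `fixed_levels` is a placeholder the administrator fills in from Synacor's advisory, and the sample output lines are constructed for the example.

```python
import re
from typing import Dict, NamedTuple, Optional

# Release branches this page lists as affected by CVE-2025-48700.
AFFECTED_BRANCHES = {"8.8.15", "9.0", "10.0", "10.1"}

# PLACEHOLDER: branch -> first patch level carrying the June 2025 fix.
# The fixed levels are not given on this page; fill this in from Synacor's
# advisory. Left empty here, so affected branches report "verify".
PLACEHOLDER_FIXED_LEVELS: Dict[str, int] = {}

# Constructed sample `zmcontrol -v` output (assumed layout, not captured data).
SAMPLE_OUTPUTS = [
    "Release 10.1.5_GA_4781.RHEL9_64_20250122 RHEL9_64 NETWORK edition.",
    "Release 10.0.9_GA_4660.UBUNTU22_64_20240809 UBUNTU22_64 FOSS edition.",
    "Release 9.0.0_GA_4258.RHEL8_64_20210201 RHEL8_64 NETWORK edition, Patch 9.0.0_P39.",
    "Release 8.8.15_GA_3869.RHEL7_64_20190918 RHEL7_64 FOSS edition, Patch 8.8.15_P46.",
    "Release 7.2.7_GA_2942.RHEL6_64_20140220 RHEL6_64 FOSS edition.",
]


class ZcsVersion(NamedTuple):
    branch: str  # "8.8.15", "9.0", "10.0", "10.1", or another major.minor
    level: int   # patch level: _PNN suffix for 8.8.15/9.0, third digit for 10.x


# "Release X.Y.Z_GA_NNNN ..." header and the optional "Patch X.Y.Z_PNN" suffix.
_RELEASE_RE = re.compile(r"Release\s+(\d+)\.(\d+)\.(\d+)_GA_\d+")
_PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+)")


def parse_zmcontrol_version(output: str) -> Optional[ZcsVersion]:
    """Extract (branch, patch level) from zmcontrol -v output; None if unparsable."""
    m = _RELEASE_RE.search(output)
    if not m:
        return None
    major, minor, third = (int(g) for g in m.groups())
    if major >= 10:
        # 10.x: branch is major.minor and the third component is the patch level.
        return ZcsVersion(f"{major}.{minor}", third)
    # 8.8.15 and 9.0.0: the release is the branch; the level comes from "_PNN".
    branch = "8.8.15" if (major, minor, third) == (8, 8, 15) else f"{major}.{minor}"
    p = _PATCH_RE.search(output)
    return ZcsVersion(branch, int(p.group(1)) if p else 0)


def assess(output: str, fixed_levels: Dict[str, int]) -> str:
    """Classify one host's zmcontrol -v output.

    fixed_levels maps branch -> first patch level containing the fix. A branch
    that is listed as affected but has no entry is reported for manual check
    rather than silently treated as safe.
    """
    v = parse_zmcontrol_version(output)
    if v is None:
        return "unparsed"
    if v.branch not in AFFECTED_BRANCHES:
        return "branch-not-listed"
    if v.branch not in fixed_levels:
        return "affected-branch-verify-patch-level"
    return "patched" if v.level >= fixed_levels[v.branch] else "vulnerable"


if __name__ == "__main__":
    import sys

    # Pipe real output in (`zmcontrol -v | python3 zcs_check.py` as the zimbra
    # user); with no stdin the constructed samples are classified instead.
    outputs = [sys.stdin.read()] if not sys.stdin.isatty() else SAMPLE_OUTPUTS
    for out in outputs:
        print(f"{assess(out, PLACEHOLDER_FIXED_LEVELS):<36} {out.strip()}")
```

The deliberate choice here is that an affected branch with no known fixed level never returns "patched": a version check that defaults to safe on missing data is how exposed hosts like the ones Shadowserver counts stay unpatched. Version strings are also only a first pass; confirm against the package and patch state on the host before closing a finding.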
